
Spark the future.

May 4 – 8, 2015, Chicago, IL

Ten Ways to Secure Your Office 365 Tenants

Brian Reid, NBConsult

[email protected] | +44 7973 428875

BRK3191

Questions – add them at http://j.mp/secure10

Introduction

Do you want to ensure that your data in Office 365 is protected?

In this session we will look at ten (or more, I’m not counting) ways to achieve that aim!

Any questions – add them to the Yammer second screen for this presentation (BRK3191): https://www.yammer.com/microsoftignite/uploaded_files/32517088 (or http://j.mp/secure10)

Password Policy

Use a policy and password expiry to help secure data and service access

Different settings for different types of identity
Cloud users default to passwords expiring after 90 days
Active Directory synced users' passwords expire based on the on-premises policy

Self-service password reset
Cloud users can perform self-service password reset (free of charge in Office 365)
With Azure Active Directory Basic or Premium subscriptions, self-service reset can also apply to on-premises users
Azure Active Directory Premium provides password write-back, which allows an on-premises synced user to change their password in the cloud
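An added example (not from the session) of setting the cloud-user expiry described above with the MSOnline module and finding the accounts exempted from it; it assumes Connect-MsolService has already been run as a tenant admin, and the domain and user names are constructed placeholders.

```powershell
# Added example, not part of the BRK3191 deck. Assumes the MSOnline module is
# installed and Connect-MsolService has been run as a tenant administrator.
# "contoso.onmicrosoft.com" and the user below are constructed placeholders.

# Cloud identities: make the 90-day expiry explicit and warn users 14 days ahead.
Set-MsolPasswordPolicy -DomainName "contoso.onmicrosoft.com" -ValidityPeriod 90 -NotificationDays 14
Get-MsolPasswordPolicy -DomainName "contoso.onmicrosoft.com"

# Accounts flagged PasswordNeverExpires are standing exceptions to that policy;
# list them with the date of their last change so each one can be justified.
Get-MsolUser -All |
    Where-Object { $_.PasswordNeverExpires -eq $true } |
    Select-Object UserPrincipalName, LastPasswordChangeTimestamp

# Revert a specific exception so the domain policy applies again.
Set-MsolUser -UserPrincipalName "someone@contoso.onmicrosoft.com" -PasswordNeverExpires $false

# Directory-synced users are governed by the on-premises policy instead; check it
# with the ActiveDirectory module on a domain-joined machine.
Get-ADDefaultDomainPasswordPolicy | Select-Object MaxPasswordAge, MinPasswordLength, ComplexityEnabled
```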

Self-Service Password Reset
In this demo we will look at the following:
Configuring authentication methods in Azure Active Directory
Setting the number of questions required to complete a password reset
Adding security questions that can be asked (up to 20 of them)
The number of questions needed to register for self-service password reset
The number of questions to be answered correctly for a password reset to occur
The process of password reset from the viewpoint of the end user

For the user to set the answers required, direct them to http://aka.ms/ssprsetup

Self Service Password Reset Demo

Also see session “BRK3863: Identity and Access Management Everywhere”

Data Loss Prevention (DLP)

To ensure that data of a confidential or personal nature cannot be uploaded, shared or emailed, as the business requires

Available in SharePoint Online and Exchange Online
Create policies to restrict content being saved to SharePoint Online or OneDrive for Business, shared externally, or emailed. Enforced on create/edit and during background search crawling
Can create document fingerprints to ensure standard company forms are not distributed
Can extend DLP templates to suit business requirements (Exchange only at present)

Reporting and incident management available
Built into the Office 365 portal, and incident reports can be emailed

Data Loss Prevention
In this demo we will look at:
Policy tips in Outlook/OWA and OneDrive for Business

A policy exists to block the external distribution of credit card numbers in Exchange and the uploading of content containing credit card numbers in SharePoint Online:
1 to 9 credit card numbers in a document: warn the site collection owner and the last modifying user, and send an incident report to the site admin
10 or more credit card numbers in a document: permissions to the document are blocked for everyone except the site owner, document owner and last modifying user. Fix the compliance issue and all permissions return

Demo to show blocking content uploads

Demo to show DLP integrated into Enterprise Search, using the SensitiveType search property:
SensitiveType="Credit Card Number" OR SensitiveType="ABA Routing Number" OR SensitiveType="U.S. / U.K. Passport Number"
SensitiveType="Credit Card Number|5.." shows documents with five or more credit card numbers in them
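The two-tier credit card policy used in the demo, expressed as an added example with the Security & Compliance Center cmdlets (New-DlpCompliancePolicy / New-DlpComplianceRule); this is not the session's own demo script, it assumes a connected Security & Compliance Center remote PowerShell session, and the policy and rule names are constructed.

```powershell
# Added example, not from the BRK3191 deck. Assumes a Security & Compliance
# Center remote PowerShell session connected as a compliance administrator.
# Policy and rule names are constructed.

New-DlpCompliancePolicy -Name "Credit Card Protection" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode Enable

# 1 to 9 card numbers shared outside the organisation: keep access, but tell
# the owner and last modifier and send an incident report to the site admin.
New-DlpComplianceRule -Name "Credit cards - low count" -Policy "Credit Card Protection" `
    -ContentContainsSensitiveInformation @{Name="Credit Card Number"; minCount="1"; maxCount="9"} `
    -AccessScope NotInOrganization `
    -NotifyUser Owner, LastModifier `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent Title, DocumentAuthor, Detections

# 10 or more: block access for everyone except the owner, author and last
# modifier until the content is fixed; access returns once the rule stops matching.
New-DlpComplianceRule -Name "Credit cards - high count" -Policy "Credit Card Protection" `
    -ContentContainsSensitiveInformation @{Name="Credit Card Number"; minCount="10"} `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner, LastModifier `
    -GenerateIncidentReport SiteAdmin

# Review the rules before trusting the policy tips users will see.
Get-DlpComplianceRule -Policy "Credit Card Protection" |
    Format-List Name, ContentContainsSensitiveInformation, AccessScope, BlockAccess
```

Use -Mode TestWithNotifications on the policy first if you want to measure how many existing documents would be affected before blocking anything.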

Data Loss Prevention Demo

Also see session “BRK3181: End-to-End Data Loss Prevention”

Rights Management

To protect documents and email with encryption and an associated usage policy

Documents can only be used by the intended recipients for the intended purpose
Easy to create policy templates that users can protect documents with
Policies include a name (multi-lingual options available) with description, the usage rights and the group of users who can access the document, along with validity periods

Office 365 includes per-file encryption at rest

Rights Management
In this demo we will look at:
The setting up of the RMS service
Setting up the rights management configuration in the Office 365 admin portal
Enabling Exchange Online via PowerShell (import keys and then run Set-IRMConfiguration)
Enabling SharePoint Online via the admin portal

Creating templates for document protection
Using RMS in the web-based and Office applications
Using the RMS Sharing Application and protecting any document

Rights Management Demo

Also see session “BRK3172: Your Encryption Controls in Office 365: Across Devices and Platforms”

Office 365 Message Encryption

Provides the ability to “send” encrypted messages that require the recipient to log in to read and reply to the message

Can customise the notification email and portal
Can provide one-time passcodes so the recipient does not need to log in
Requires that RMS is enabled and configured

Office 365 Message Encryption
In this demo we will look at:
The enabling of the feature
Ensuring that RMS is enabled for Exchange Online correctly
Configuring a transport rule to encrypt or decrypt messages

The end-to-end process
Sending an external email with a message classification that causes message encryption to occur

Configuring the email and the portal
Using Exchange Online remote PowerShell:

  Set-OMEConfiguration "OME Configuration" -Image (Get-Content "C:\Temp\NBConsult\default-logo2.png" -Encoding Byte) -EmailText "You have received an encrypted message from the NBConsult secure messaging system." -PortalText "NBConsult secure email portal"
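An added example (not the session's demo script) that covers both the Rights Management step above, enabling RMS for Exchange Online from PowerShell, and this demo's transport rule that turns a message classification into OME for external recipients. It assumes an Exchange Online remote PowerShell session as a tenant admin and an Azure RMS tenant in the EU region (the key-sharing URL differs per region); the sender address, classification and rule names are constructed.

```powershell
# Added example, not from the BRK3191 deck. Assumes an Exchange Online remote
# PowerShell session connected as a tenant admin and an EU-region Azure RMS
# tenant (other regions have their own key-sharing URL). Names are constructed.

# 1. Point Exchange Online at the RMS tenant, import its trusted publishing
#    domain (the "import keys" step) and switch internal licensing on.
Set-IRMConfiguration -RMSOnlineKeySharingLocation "https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc"
Import-RMSTrustedPublishingDomain -RMSOnline -Name "RMS Online"
Set-IRMConfiguration -InternalLicensingEnabled $true

# 2. Prove the service can protect and decrypt on behalf of a real sender
#    before any rule depends on it.
Test-IRMConfiguration -Sender "alice@contoso.com"

# 3. A classification users can pick in Outlook/OWA ...
New-MessageClassification -Name "EncryptExternal" -DisplayName "Encrypt" `
    -SenderDescription "Apply Office 365 Message Encryption when sent outside the organisation"

# ... and the transport rule that applies OME only when that classification is
#    present and the recipient is outside the organisation.
New-TransportRule -Name "OME on classified external mail" `
    -HasClassification (Get-MessageClassification "EncryptExternal").Identity `
    -SentToScope NotInOrganization `
    -ApplyOME $true

# 4. Remove OME from encrypted replies arriving for internal recipients so
#    staff are not pushed through the portal for their own conversations.
New-TransportRule -Name "Remove OME on inbound replies" `
    -SentToScope InOrganization `
    -RemoveOME $true

Get-TransportRule | Format-Table Name, State, Priority
```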

Message Encryption Demo

Also see session “BRK3172: Your Encryption Controls in Office 365: Across Devices and Platforms”

Mobile Device Management (MDM)

To show how a new feature of Office 365 can help you protect data on end user devices

Free with Office 365 commercial subscriptions from May 2015
Includes:
Conditional Access – device must be compliant with your rules before it can access corporate data
User level policies – therefore it does not matter what device the user uses, and policies can target different groups and users
Device Management – policies to require different security settings and gain reports on the state of these devices
Selective Wipe – easy to remove corporate data from the device and leave personal data

Mobile Device Management
In this demo we will configure corporate policies on an iPhone

Mobile Device Management Demo

Also see session “BRK3113: Device and Data Protection with Mobile Device Management in Office 365”

Multi-Factor Authentication

Provides the ability to require more than just a username and password to authenticate to Office 365
Second factors of authentication include a telephone call, an SMS text message or validating the login via an app

Needs something you “know” (a password) and something you “have” (a mobile phone)
Free for Office 365 subscribers
Can extend into on-premises and other apps with Azure MFA

Multi-Factor Authentication (MFA) Demo
In this demo we will:
Configure Multi-Factor Authentication
Log in with a browser to Office 365
Log in with an Office 2013 app using “modern authentication”

“Modern Authentication” is new to Office 2013 and Office apps and will be in later versions. It allows the second factor of authentication to be used instead of just username and password

VCF File for phone available at http://1drv.ms/1AallXl

Multi-Factor Authentication Demo

Also see session “BRK3136: Modern Authentication for the Office 2013 Clients”

Advanced Threat Protection

All Exchange Online mailboxes are protected by Exchange Online Protection as part of the subscription price
Advanced Threat Protection (coming soon) is an additional subscription offering to protect against:
Spear-phishing (the Safe Links feature)
Zero-day malware attacks (the Safe Attachments feature)

Advanced Threat Protection Demo
In this demo we will see the Advanced Threat Protection feature set

We will look at configuring settings, what the end user sees (or not) in their email client, and the reports

Advanced Threat Protection Demo

Also see theatre presentation “THR0135: Advanced Threat Protection in Office 365”

Client Security

Provides the ability to authenticate into Office 365 from your Active Directory and not the Microsoft authentication platform
This also allows single sign-on and various client restrictions
Office 365 MDM Conditional Access will supersede this feature with various device controls and policies

“Modern Authentication” coming to Office 2013
Changes the way Outlook communicates with Exchange Online for authentication
A change from the Microsoft Sign-In Assistant to the Active Directory Authentication Library (ADAL)
Support for web-based authentication platforms across most client applications (such as SAML 2.0)

Client Security Demo
In this demo we will look at some AD FS Client Access Policies and see how they can restrict client access to Office 365

The policy will allow access only from a given range of IP addresses
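An added example (not the session's demo) of such a client access policy on AD FS 2012 R2, following Microsoft's documented pattern of an issuance authorization rule on the Office 365 relying party trust: it denies requests from outside the corporate network unless the forwarded client IP falls in an allowed range. It assumes the AD FS PowerShell module on the federation server, a Web Application Proxy in front of it so that the insidecorporatenetwork claim is populated, and a constructed allowed range of 203.0.113.0/24 (a documentation address block, not a real network).

```powershell
# Added example, not from the BRK3191 deck. Assumes AD FS 2012 R2 with its
# PowerShell module, a Web Application Proxy (so insidecorporatenetwork is set),
# and a constructed allowed public range of 203.0.113.0/24.

# Regex for the organisation's public egress range; only these addresses may
# reach Office 365 from "outside" (i.e. via the proxy or Exchange Online).
$allowedIpRegex = '^203\.0\.113\.(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])$'

$rules = @"
@RuleName = "Permit everyone (a deny claim issued below still wins)"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

@RuleName = "Deny external requests not from the allowed range"
exists([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"])
&& NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "$allowedIpRegex"])
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
"@

# Keep the current rules so the change can be rolled back quickly.
$rp = Get-AdfsRelyingPartyTrust -Name "Microsoft Office 365 Identity Platform"
$rp.IssuanceAuthorizationRules | Set-Content "C:\Temp\o365-authz-rules.bak"

Set-AdfsRelyingPartyTrust -TargetName "Microsoft Office 365 Identity Platform" `
    -IssuanceAuthorizationRules $rules

# Confirm what AD FS will now evaluate.
(Get-AdfsRelyingPartyTrust -Name "Microsoft Office 365 Identity Platform").IssuanceAuthorizationRules
```

The x-ms-forwarded-client-ip claim is only present on requests relayed by Exchange Online (Outlook, ActiveSync), so a browser sign-in from outside the network carries no such claim and is denied by this rule; relax it deliberately if browser access from the internet is required.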

Client Security Demo

Also take the Instructor Led Lab “ILL3851: Windows Server 2012 R2: New Features in Active Directory Federation Services”

Office Client Deployment

Providing the ability to stay up to date with feature and security updates

How to keep client versions of Office up to date
Getting the latest security changes
Ensuring that the latest releases don’t break the company
Flexibility with regard to updates (opt in to feature and bug fixes quarterly)

Control using an XML-based deployment process:

  setup.exe /download \\server\share\config32ProPlus.xml
  setup.exe /configure \\server\share\config32ProPlus.xml

Click-to-Run XML for Download and Deploy (the same file serves both setup.exe commands):

  <Configuration>
    <!-- Source share the client bits are downloaded to and installed from -->
    <Add SourcePath="\\server\share\Microsoft\Office\365\Software" OfficeClientEdition="32">
      <Product ID="O365ProPlusRetail">
        <Language ID="en-us" />
        <Language ID="fr-fr" />
      </Product>
    </Add>
    <!-- Clients pull updates from the same controlled share, not the internet -->
    <Updates Enabled="TRUE" UpdatePath="\\server\share\Microsoft\Office\365\Software" />
    <Display Level="Full" AcceptEULA="TRUE" />
    <Logging Path="%temp%" />
    <Property Name="AUTOACTIVATE" Value="1" />
  </Configuration>

Also see session “BRK3144: Microsoft Office 365 ProPlus: Have It Your Way!”

Sharing Content

Can enable/disable sharing in the admin portal

Sites
Share by email address or anonymous link
Can share documents directly as well

Exchange
Calendar sharing

Skype for Business

Third-party apps that access your data

Sharing Content Demo
In this demo we will configure external sharing and the sharing of documents and sites with external users

We will look at how we can see what is shared externally and how we can revoke these rights
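An added example (not the session's demo) of the tenant and site sharing settings and of the audit-and-revoke step with the SharePoint Online Management Shell; it assumes Connect-SPOService has been run as a SharePoint admin, and the tenant URL, site URL and partner domain are constructed.

```powershell
# Added example, not from the BRK3191 deck. Assumes the SharePoint Online
# Management Shell connected with Connect-SPOService as a SharePoint admin.
# Tenant/site URLs and the partner domain are constructed placeholders.

# Tenant-wide: allow sharing with authenticated external users only, never
# anonymous links (Disabled / ExternalUserSharingOnly / ExternalUserAndGuestSharing).
Set-SPOTenant -SharingCapability ExternalUserSharingOnly

# A site holding sensitive content gets no external sharing at all, whatever
# the tenant setting allows.
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/finance" -SharingCapability Disabled

# Who from outside the organisation currently has access, site by site?
$report = foreach ($site in Get-SPOSite -Limit All) {
    Get-SPOExternalUser -SiteUrl $site.Url -PageSize 50 |
        Select-Object @{n='Site'; e={ $site.Url }}, Email, DisplayName, WhenCreated, InvitedBy
}
$report | Sort-Object WhenCreated | Format-Table -AutoSize

# Revoke access for external users from one partner domain whose invitations are
# older than six months; Remove-SPOExternalUser works on the user's UniqueId.
$stale = Get-SPOExternalUser -Filter "partner.example" -PageSize 50 |
    Where-Object { $_.WhenCreated -lt (Get-Date).AddMonths(-6) }
$stale | ForEach-Object { Remove-SPOExternalUser -UniqueIDs $_.UniqueId -Confirm:$false }
```

Removing the external user revokes the account's access to the tenant; existing anonymous links on documents are unaffected and are governed by the SharingCapability settings above.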

Sharing Content Demo

Also see session “BRK3135: OneDrive for Business for B2B External Sharing, IT-Lead Cross-Org Collaboration”

OneDrive for Business Sync Restrictions

Domain safe list restriction is a new feature of Office 365 (currently rolling out)
Ensures that the OneDrive for Business client will only sync document libraries to machines joined to a given domain

Use Set-SPOTenantSyncClientRestriction in a SharePoint Online remote PowerShell session to set the Active Directory domain GUIDs a client must belong to:

  # On a domain-joined machine with the ActiveDirectory module: list every
  # domain in the forest with its GUID (the value the restriction is keyed on)
  $domains = (Get-ADForest).Domains
  foreach ($d in $domains) { Get-ADDomain -Identity $d | Select DistinguishedName, ObjectGuid }

  # In the SharePoint Online Management Shell: allow sync only from machines in
  # these domains (semicolon-separated list of GUIDs)
  Set-SPOTenantSyncClientRestriction -Enable -DomainGuids "786548DD-877B-4760-A749-6B1EFBC1190A; 877564FF-877B-4760-A749-6B1EFBC1190A"

SSL and TLS

All services are offered over HTTPS
Secure options provided for all protocols (such as POP/IMAP)

Email connectors to and from EOP can be set to opportunistic TLS
Opportunistic means “go secure if you can, insecure if you cannot”, so consider your connector security options carefully

In hybrid modes, you are responsible for the security of your bit of the network. Ensure you are not open to SSL attacks such as Heartbleed and POODLE.

SHA-1 Certificate issues in Chrome browser
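An added example (not from the session) showing the connector settings behind the opportunistic-TLS caveat above: the default opportunistic partner connector beside the enforced version that requires TLS and validates the partner's certificate. It assumes an Exchange Online remote PowerShell session as a tenant admin; the partner domain and connector names are constructed.

```powershell
# Added example, not from the BRK3191 deck. Assumes an Exchange Online remote
# PowerShell session as a tenant admin; partner domain and names are constructed.

# Audit: every connector together with how strictly it treats TLS.
Get-InboundConnector  | Format-Table Name, ConnectorType, SenderDomains, RequireTls, TlsSenderCertificateName
Get-OutboundConnector | Format-Table Name, RecipientDomains, TlsSettings, TlsDomain

# Weak: a partner connector at the default, i.e. opportunistic TLS. Mail from
# partner.example is still accepted if TLS negotiation fails, so it can arrive
# in clear text and the connector offers no proof of who the sender is.
New-InboundConnector -Name "Partner inbound" -ConnectorType Partner `
    -SenderDomains "partner.example" -RequireTls $false

# Corrected: require TLS and pin the certificate subject the partner must present,
# so a session that is not both encrypted and from that certificate is refused.
Set-InboundConnector -Identity "Partner inbound" `
    -RequireTls $true -TlsSenderCertificateName "*.partner.example"

# Outbound to the same partner: insist on TLS and on a certificate that matches
# the partner's domain (DomainValidation), not merely any valid certificate.
New-OutboundConnector -Name "Partner outbound" -ConnectorType Partner `
    -RecipientDomains "partner.example" -UseMxRecord $true `
    -TlsSettings DomainValidation -TlsDomain "*.partner.example"
```

With these settings a failed TLS negotiation results in non-delivery rather than clear-text delivery, which is the trade-off the connector choice is really about.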

Office 365 Reports

To provide you with lots of data on what is happening in your tenant

Report examples include:
Browser versions and operating system versions used
OneDrive for Business storage
Mailbox access by non-owners
Role group changes
Malware detections, spam catches and Advanced Threat Protection
Auditing administrator actions
Azure AD user activity
DLP policy and rule matches

Office 365 Reports Demo
In this demo we will look at some of the reports available and discuss what we can learn from them from a security perspective

Reports are available in the compliance center, the Office 365 portal and under individual services
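An added example (not the session's demo) of the data behind the "mailbox access by non-owners" report: mailbox auditing has to be enabled per mailbox before anything is recorded, after which delegate and admin access can be queried from Exchange Online remote PowerShell. It assumes a session connected as a tenant admin; the mailbox and recipient addresses are constructed.

```powershell
# Added example, not from the BRK3191 deck. Assumes an Exchange Online remote
# PowerShell session as a tenant admin; mailbox addresses are constructed.

# Non-owner access is only recorded once auditing is on for the mailbox, so
# switch it on wherever it is still off and keep 90 days of entries.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { -not $_.AuditEnabled } |
    Set-Mailbox -AuditEnabled $true -AuditLogAgeLimit "90.00:00:00" `
        -AuditDelegate Update, SoftDelete, HardDelete, SendAs, SendOnBehalf, FolderBind `
        -AuditAdmin   Update, SoftDelete, HardDelete, SendAs, SendOnBehalf, FolderBind, MessageBind

# Last 30 days of delegate and admin access to one sensitive mailbox: who,
# from which client, doing what to which folder.
$since = (Get-Date).AddDays(-30)
Search-MailboxAuditLog -Identity "ceo@contoso.com" -LogonTypes Delegate, Admin `
    -StartDate $since -EndDate (Get-Date) -ShowDetails -ResultSize 5000 |
    Select-Object LastAccessed, LogonUserDisplayName, LogonType, Operation, FolderPathName, ClientInfoString |
    Sort-Object LastAccessed -Descending |
    Format-Table -AutoSize

# The same question across every audited mailbox, delivered as an XML report
# by email (the portal's non-owner access report draws on the same log).
New-MailboxAuditLogSearch -Name "Non-owner access, last 30 days" `
    -LogonTypes Delegate, Admin -StartDate $since -EndDate (Get-Date) `
    -StatusMailRecipients "security@contoso.com" -ShowDetails
```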

Office 365 Reports Demo

Also see theatre session “THR0166: Building Custom Reports in the Office Telemetry Dashboard”

Microsoft Cloud Security for Enterprise Architects

Systematic approach to securing your identities, data, and applications in the cloud
Visio version
PDF version

Microsoft’s Enterprise Cloud Roadmap

Resources for IT decision makers: http://aka.ms/CloudArchitecture

Map of Microsoft SaaS, PaaS, IaaS, and private cloud offerings
Identity architecture
Security architecture
Deployment and integration options for Exchange, Lync, and SharePoint
Azure architecture blueprints
Cloud design patterns
Design stencils

Input from Yammer
I asked if anyone had any suggestions for this presentation on the Ignite network on Yammer

Version control and Holds
https://www.yammer.com/microsoftignite/#/uploaded_files/32517088?threadId=526833978

Visit Myignite at http://myignite.microsoft.com or download and use the Ignite Mobile App with the QR code above.

Please evaluate this session
Your feedback is important to us!

© 2015 Microsoft Corporation. All rights reserved.